1. Technical Field
The present invention relates to computer security in general, and in particular to a method for providing access control to computer networks. Still more particularly, the present invention relates to a method for providing access control to single sign-on computer networks.
2. Description of the Related Art
For a large institution, such as a corporation, university, etc., computer security has been primarily focused on stopping external threats. However, it is expected that more than 70% of all intrusions to a computer network within a large institution come from internal sources. In other words, the majority of the security threats to a computer network of a large institution comes from its own employees. Regardless of whether the intrusions to the computer network are intentional or not, such intrusions may end up costing the institution millions of dollars.
With external hackers, network administrators can use firewalls and/or other computer security tools to detect and stop intrusions to a computer network. But with internal “hackers,” network administrators are left without any useful tools to combat the intrusion problem because firewalls and other computer security tools are ineffective when the attacker is already inside the institution. In addition, network administrators must be able to maintain a delicate balance between access control and ease of access to a computer network. To that goal, a single sign-on approach is designed to simplify the process of accessing to resources within a computer network while maintaining access control to the computer network. With a single sign-on computer network, an employee can authenticate himself/herself to use most, if not all, resources within the computer network by simply signing on to the computer network once instead of logging on to various resources, such as the mail server, file server, web server, etc., separately.
With the single sign-on approach, a network administrator still has to define access permissions for each employee to each resource within the computer network initially. Such practice is prohibitively tedious from a network management standpoint as well as from a usability standpoint. In order to reduce setup time, employees may be divided into groups for the purpose of granting network access permissions. However, every employee within an institution is typically unique, and it is not uncommon to grant special access permissions to each employee in order to allow for individual circumstances, which in essence defeats the benefit of grouping. Besides, group permissions tend to be very restrictive and often limit employees' ability to perform their job efficiently. Because the current method of providing access control to a single sign-on system is both limiting and inefficient, it would be desirable to furnish an improved method for providing access control to a single sign-on computer system.